Channels

Services

Important security update for Apache Struts

The version 2.3.14.2 update of the Apache Struts Java framework fixes several high-risk vulnerabilities that allow attackers to inject code into the server, for example via specially crafted HTTP requests. The holes have been identified as CVE-2013-2115 and CVE-2013-1966; according to the Struts developers, the maximum threat level is "highly critical".

Vulnerability details and a Proof of Concept (PoC) can be found via the advisory link above and on the Coverity blog. Originally, updating to Struts 2.3.14.1 was supposed to close the holes, but the update failed to block all potential attack vectors. All versions prior to 2.3.14.2 are vulnerable. Those who use the framework on their servers should, therefore, ensure that it is up to date as soon as possible.

This is yet another OGNL-related problem for the Struts framework. Holes in the implementation of the expression language have previously been found, and closed, in January 2012, August 2010 and in November 2008.